Title: tripwire install Subject: setting up and using tripwire Maintenance: After logrotate changes the inode of every log, I had to update the db. /usr/sbin/tripwire \ -m u \ -p /etc/tripwire/tw.pol \ -r /var/lib/tripwire/report/myserver-20020715-020000.twr \ -a Bar bones setup: ---------------------------------------------------------------------- tar -xzvpf Tripwire_221_for_Linux_x86.tar.gz ---------------------------------------------------------------------- ./install.sh ---------------------------------------------------------------------- Continue with installation? [y/n] y ---------------------------------------------------------------------- Continue with installation? [y/n] y ---------------------------------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. ---------------------------------------------------------------------- See the Tripwire manual for more information. Creating key files... ---------------------------------------------------------------------- Enter the site keyfile passphrase: Verify the site keyfile passphrase: ---------------------------------------------------------------------- Enter the local keyfile passphrase: Verify the local keyfile passphrase: ---------------------------------------------------------------------- Generating Tripwire configuration file... ---------------------------------------------------------------------- Creating signed configuration file... Please enter your site passphrase: Wrote configuration file: /usr/TSS/bin/tw.cfg ---------------------------------------------------------------------- A clear-text version of the Tripwire configuration file /usr/TSS/bin/twcfg.txt has been preserved for your inspection. It is recommended that you delete this file manually after you have examined it. ---------------------------------------------------------------------- Creating signed policy file... Please enter your site passphrase: Wrote policy file: /usr/TSS/policy/tw.pol ---------------------------------------------------------------------- A clear-text version of the Tripwire policy file /usr/TSS/policy/twpol.txt has been preserved for your inspection. This implements a minimal policy, intended only to test essential Tripwire functionality. You should edit the policy file to describe your system, and then use twadmin to generate a new signed copy of the Tripwire policy. ---------------------------------------------- The installation succeeded. Please refer to /usr/TSS/Release_Notes for release information and to the printed user documentation for further instructions on using Tripwire 2.2.1 for Unix. =========================================================== using the rpm: rpm install of tripwire: Several important points: -------------------------------------------------------- 1. A clear-text version of the Tripwire policy file /etc/tripwire/twpol.txt -------------------------------------------------------- 2. You should edit the policy file to describe your system, and then use twadmin to generate a signed copy of the Tripwire policy. -------------------------------------------------------- 3. IMPORTANT: To complete the Tripwire 2.3 installation, you must run the configuration script: /etc/tripwire/twinstall.sh -------------------------------------------------------- 4. If you wish to change the contents of your policy file, /etc/tripwire/twpol.txt you may want to do so before running this script. -------------------------------------------------------- 5. Please refer to /usr/doc/tripwire/README for release information and to the printed user documentation for further instructions on using Open Source Tripwire 2.3 for Linux. -------------------------------------------------------- Runit /usr/sbin/tripwire --help /usr/sbin/tripwire -m i $tmpfile if [ $? != 0 -a -f $tmpfile ] then cat $tmpfile | $MailBin -s "Security Warning!" $sysadmin fi rm -f $tmpfile else echo No database file?! fi ----------------------------------------------------------- This is a modified pol file I found for suse: suse.twpol.txt @@section GLOBAL TWROOT="/usr/TSS"; TWBIN="/usr/TSS/bin"; TWPOL="/usr/TSS/policy"; TWDB="/usr/TSS/db"; TWSKEY="/usr/TSS/key"; TWLKEY="/usr/TSS/key"; TWREPORT="/usr/TSS/report"; HOSTNAME=johns; @@section FS SEC_CRIT = $(IgnoreNone)-SHa; # Critical files - we can't afford to miss any changes. SEC_SUID = $(IgnoreNone)-SHa; # Binaries with the SUID or SGID flags set. SEC_TCB = $(ReadOnly); # Members of the Trusted Computing Base. SEC_BIN = $(ReadOnly); # Binaries that shouldn't change SEC_CONFIG = $(Dynamic); # Config files that are changed infrequently but accessed often. SEC_LOG = $(Growing); # Files that grow, but that should never change ownership. SEC_INVARIANT = +pug; # Directories that should never change permission or ownership. SIG_LOW = 33; # Non-critical files that are of minimal security impact SIG_MED = 66; # Non-critical files that are of significant security impact SIG_HI = 100; # Critical files that are significant points of vulnerability # Tripwire Binaries (rulename = "Tripwire Binaries", severity = $(SIG_HI)) { $(TWBIN)/siggen -> $(ReadOnly); $(TWBIN)/tripwire -> $(ReadOnly); $(TWBIN)/twadmin -> $(ReadOnly); $(TWBIN)/twprint -> $(ReadOnly); } # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases ( rulename = "Tripwire Data Files", severity = $(SIG_HI)) { # NOTE: Removing the inode attribute because when Tripwire creates a backup # it does so by renaming the old file and creating a new one (which will # have a new inode number). Leaving inode turned on for keys, which shouldn't # ever change. # NOTE: this rule will trigger on the first integrity check after database # initialization, and each integrity check afterward until a database update # is run, since the database file will not exist before that point. $(TWDB) -> $(Dynamic) -i; $(TWPOL)/tw.pol -> $(SEC_BIN) -i; $(TWBIN)/tw.cfg -> $(SEC_BIN) -i; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; $(TWSKEY)/site.key -> $(SEC_BIN) ; #don't scan the individual reports $(TWREPORT) -> $(Dynamic) (recurse=0); } # Commonly accessed directories that should remain static with regards to owner and group (rulename = "Invariant Directories", severity = $(SIG_MED)) { / -> $(SEC_INVARIANT) (recurse = 0); /home -> $(SEC_INVARIANT) (recurse = 0); /etc -> $(SEC_INVARIANT) (recurse = 0); } # setuid/setgid root programs (rulename = "setuid/setgid", severity = $(SIG_HI)) { /bin/su -> $(SEC_SUID); /bin/mount -> $(SEC_SUID); /bin/umount -> $(SEC_SUID); /bin/ping -> $(SEC_SUID); /bin/login -> $(SEC_SUID); /sbin/dump -> $(SEC_SUID); /sbin/restore -> $(SEC_SUID); /sbin/cardctl -> $(SEC_SUID); /usr/X11R6/bin/Xwrapper -> $(SEC_SUID); /usr/X11R6/bin/xterm -> $(SEC_SUID); /usr/X11R6/bin/XConsole -> $(SEC_SUID); /usr/X11R6/bin/xscreensaver -> $(SEC_SUID); /usr/bin/at -> $(SEC_SUID); /usr/bin/chage -> $(SEC_SUID); /usr/bin/gpasswd -> $(SEC_SUID); /usr/bin/lpq -> $(SEC_SUID); /usr/bin/lpr -> $(SEC_SUID); /usr/bin/lprm -> $(SEC_SUID); /usr/bin/passwd -> $(SEC_SUID); /usr/bin/suidperl -> $(SEC_SUID); /usr/bin/procmail -> $(SEC_SUID); /usr/bin/rcp -> $(SEC_SUID); /usr/bin/rlogin -> $(SEC_SUID); /usr/bin/screen -> $(SEC_SUID); /usr/bin/chfn -> $(SEC_SUID); /usr/bin/chsh -> $(SEC_SUID); /usr/bin/newgrp -> $(SEC_SUID); /usr/bin/cu -> $(SEC_SUID); /usr/bin/uucp -> $(SEC_SUID); /usr/bin/uuname -> $(SEC_SUID); /usr/bin/uustat -> $(SEC_SUID); /usr/bin/uux -> $(SEC_SUID); /usr/bin/crontab -> $(SEC_SUID); /usr/bin/zgv -> $(SEC_SUID); /usr/sbin/sendmail -> $(SEC_SUID); /usr/sbin/traceroute -> $(SEC_SUID); /usr/sbin/uucico -> $(SEC_SUID); /usr/sbin/uuxqt -> $(SEC_SUID); } # Temporary directories (rulename = "Temporary directories", recurse = false, severity = $(SIG_LOW)) { /usr/tmp -> $(SEC_INVARIANT); /var/tmp -> $(SEC_INVARIANT); /tmp -> $(SEC_INVARIANT); } # Local files (rulename = "User binaries", severity = $(SIG_MED)) { /usr/local/bin -> $(SEC_BIN) (recurse = 1); /sbin -> $(SEC_BIN) (recurse = 1); /usr/sbin -> $(SEC_BIN) (recurse = 1); /usr/bin -> $(SEC_BIN) (recurse = 1); } (rulename = "Configuration Files") { /etc/hosts -> $(SEC_CONFIG); /etc/inetd.conf -> $(SEC_CONFIG); /etc/inittab -> $(SEC_CONFIG); /etc/resolv.conf -> $(SEC_CONFIG); /etc/syslog.conf -> $(SEC_CONFIG); /etc/smb.conf -> $(SEC_CONFIG); } (rulename = "Shell Binaries") { /bin/bash -> $(SEC_BIN); /bin/csh -> $(SEC_BIN); /bin/ksh -> $(SEC_BIN); #/bin/psh -> $(SEC_BIN); #/bin/rsh -> $(SEC_SUID); #/bin/Rsh -> $(SEC_BIN); /bin/sh -> $(SEC_BIN); /bin/tcsh -> $(SEC_BIN); #/local/bin/bash -> $(SEC_BIN); #/local/bin/tcsh -> $(SEC_BIN); } (rulename = "Security Control") { /etc/group -> $(SEC_CRIT); /etc/security/ -> $(SEC_CRIT); /var/adm/ -> $(SEC_CRIT); } (rulename = "Boot Scripts") { /etc/rc.d/rc -> $(SEC_CONFIG); /etc/rc.d/network -> $(SEC_CONFIG); /etc/rc.d/serial -> $(SEC_CONFIG); /etc/rc.d/nfs -> $(SEC_CONFIG); /etc/rc.d/powerfail -> $(SEC_CONFIG); } (rulename = "Login Scripts") { /etc/csh.cshrc -> $(SEC_CONFIG); /etc/csh.login -> $(SEC_CONFIG); /etc/profile -> $(SEC_CONFIG); } # Libraries (rulename = "Libraries", severity = $(SIG_MED)) { /usr/lib -> $(SEC_BIN); /usr/local/lib -> $(SEC_BIN); } # These files are critical to a correct system boot. (rulename = "Critical system boot files", severity = 100) { # the kernel files /boot -> $(SEC_CRIT) ; !/boot/System.map ; !/boot/module-info ; # other boot files may exist. Look for: # /ufsboot -> $(SEC_CRIT) ; } # These files change every time the system boots (rulename = "System boot changes", severity = $(SIG_HI)) { !/root/.gnome; !/root/.enlightenment; /dev/log -> $(Dynamic) ; /dev/cua0 -> $(Dynamic) ; /dev/tty2 -> $(Dynamic) ; # tty devices /dev/tty3 -> $(Dynamic) ; # are extremely /dev/tty4 -> $(Dynamic) ; # variable /dev/tty5 -> $(Dynamic) ; /dev/tty6 -> $(Dynamic) ; /dev/urandom -> $(Dynamic) ; /dev/initctl -> $(Dynamic) ; /var/lock/subsys -> $(Dynamic) ; /var/lock/subsys/httpd -> $(Dynamic) ; /var/run -> $(Dynamic) ; # daemon PIDs /var/spool/lpd/lpd.lock -> $(Dynamic) ; /var/log -> $(Dynamic) ; /etc/issue.net -> $(Dynamic) ; /etc/ioctl.save -> $(Dynamic) ; /etc/issue -> $(Dynamic) ; /etc/.pwd.lock -> $(Dynamic) ; /etc/mtab -> $(Dynamic) ; /lib/modules -> $(Dynamic) ; } # These files change the behavior of the root account (rulename = "Root config files", severity = 100) { # /.profile -> $(SEC_CRIT) ; # /.kshrc -> $(SEC_CRIT) ; # /.cshrc -> $(SEC_CRIT) ; /root -> $(SEC_CRIT) ; } # Critical configuration files (rulename = "Critical configuration files", severity = $(SIG_HI)) { /etc/conf.modules -> $(ReadOnly) ; /etc/crontab -> $(ReadOnly) ; /etc/cron.hourly -> $(ReadOnly) ; /etc/cron.daily -> $(ReadOnly) ; /etc/cron.weekly -> $(ReadOnly) ; /etc/cron.monthly -> $(ReadOnly) ; /etc/default -> $(ReadOnly) ; /etc/fstab -> $(ReadOnly) ; /etc/exports -> $(ReadOnly) ; /etc/group- -> $(ReadOnly) ; # changes should be infrequent /etc/host.conf -> $(ReadOnly) ; /etc/hosts.allow -> $(ReadOnly) ; /etc/hosts.deny -> $(ReadOnly) ; /etc/httpd/httpd.conf -> $(ReadOnly) ; # changes should be infrequent /etc/protocols -> $(ReadOnly) ; /etc/services -> $(ReadOnly) ; /etc/rc.d/init.d -> $(ReadOnly) ; /etc/rc.d -> $(ReadOnly) ; /etc/motd -> $(ReadOnly) ; # /etc/named.boot -> $(ReadOnly) ; /etc/passwd -> $(ReadOnly) ; /etc/passwd- -> $(ReadOnly) ; /etc/profile.d -> $(ReadOnly) ; /etc/rpc -> $(ReadOnly) ; /etc/nsswitch.conf -> $(ReadOnly) ; } # Critical devices (rulename = "Critical devices", severity = $(SIG_HI), recurse = false) { /dev/kmem -> $(Device) ; /dev/mem -> $(Device) ; /dev/null -> $(Device) ; /dev/zero -> $(Device) ; /proc/devices -> $(Device) ; /proc/net -> $(Device) ; /proc/sys -> $(Device) ; /proc/cpuinfo -> $(Device) ; /proc/modules -> $(Device) ; /proc/mounts -> $(Device) ; /proc/dma -> $(Device) ; /proc/filesystems -> $(Device) ; /proc/pci -> $(Device) ; /proc/interrupts -> $(Device) ; /proc/rtc -> $(Device) ; /proc/ioports -> $(Device) ; /proc/scsi -> $(Device) ; /proc/kcore -> $(Device) ; /proc/self -> $(Device) ; /proc/kmsg -> $(Device) ; /proc/stat -> $(Device) ; /proc/ksyms -> $(Device) ; /proc/loadavg -> $(Device) ; /proc/uptime -> $(Device) ; /proc/locks -> $(Device) ; /proc/version -> $(Device) ; /proc/mdstat -> $(Device) ; /proc/meminfo -> $(Device) ; /proc/cmdline -> $(Device) ; /proc/misc -> $(Device) ; } # Rest of critical system binaries (rulename = "OS executables and libraries", severity = $(SIG_HI)) { /bin -> $(ReadOnly) ; /lib -> $(ReadOnly) ; } ----------------------------------------------------------------------- ===================================================================== ### My customization ./twinstall.sh cp twpol.txt twpol..txt vi twpol..txt twadmin --create-polfile twpol..txt tripwire -m i /usr/sbin/tripwire -m c -d /var/lib/tripwire/.twd =====================================================================